EDR Activation and Setup


To successfully install and use Qualys EDR in your environment, the following 
configuration steps are required: 


1. Install the Qualys Cloud Agent on target host 

2. Assign the target agent host to an EDR enabled Cloud Agent Configuration Profile 

3. Activate EDR for the target agent host (If EDR is not enabled in the Cloud Agent 
activation key) 


When Asset Tags are strategically used for host assignment, step 2 (listed above) can 
potentially be performed prior to agent installation (step 1). 


Identify Assets Missing EDR 


Endpoint security starts with visibility. The EDR application automatically identifies 
agent hosts that do not have EDR enabled and hosts running older versions of the Cloud 
Agent. 

You can find such assets on the EDR Welcome page under the "Discover and Monitor" 
section. 

The “Windows hosts missing EDR” widget identifies agent hosts that do not have EDR 
enabled and the "Windows hosts with older agent versions" widget identifies hosts 
running Cloud Agent version lower than 4.0.0. 


[Screenshot: EDR Welcome page ("Welcome to Qualys EDR") with the "Discover and Monitor", 
"Detect and Investigate" and "Respond and Prevent" sections] 
Activate EDR Module 


You can activate EDR on agent assets from the agent "Quick Actions" menu. 
[Screenshot: agent "Quick Actions" menu with the options Activate Agent, Deactivate Agent, 
Activate for FIM or EDR or PM, and Deactivate Agent for FIM or EDR or PM] 


Simply select the "Activate for FIM or EDR or PM" option to enable EDR for a given 
asset. Alternately you can also use Cloud Agent APIs to activate EDR in bulk across 
multiple agent assets. 


Integrated Anti-Malware Protection 


Qualys Multi-Vector EDR now includes integrated antimalware detection capabilities, 
providing additional real-time protection against the latest threats. This convergence of 
Malware Protection Products with Endpoint Detection & Response (EDR) delivers 
comprehensive protection against known and unknown threats. 


Key capabilities include: 

- On-access protection: prevents new malware threats from entering the system 
  by scanning local and network files when they are accessed (opened, moved, 
  copied or executed), boot sectors, and potentially unwanted applications (PUA). 

- On-demand scanning: scans the file system and memory for malware and other 
  threats and takes remediation actions. 

- Behavioral-based protection: operating on a zero-trust assumption, Qualys 
  Malware Protection monitors active applications and processes for any signs 
  of malicious behavior. It relies on actual behavior characteristics instead of 
  signatures or binary or code fingerprints. This allows Qualys Malware Protection 
  to consistently detect new ransomware variants, other zero-day threats, and 
  fileless attacks. 

- Network and Traffic Protection: prevents malware from being downloaded to 
  the endpoint by scanning incoming emails and web traffic in real time. It also 
  protects against attack techniques used to gain access to specific endpoints, 
  such as brute-force attacks, network exploits, and password stealers. 

- Phishing Protection: automatically blocks known phishing web pages to prevent 
  users from inadvertently disclosing private or confidential information to online 
  fraudsters. 


Malware detection events captured on the agent host can be viewed and analyzed from 
the Qualys Cloud Console, allowing customers to enrich malicious events with 
contextual event data collected by Qualys EDR. 


Configuration Profile 


EDR host assets must belong to a Configuration Profile with the "EDR" module enabled. 


[Screenshot: Configuration Profile edit page, "Endpoint Detection and Response" section, 
showing the "Enable EDR module for this profile" switch, Max event log size (1024 KB, 
range 10 - 10240), Payload threshold time (secs, range 30 - 1800), Maximum disk usage for 
EDR Data (1024 MB, range 500 - 5120) and the "Enable Malware Protection for this Profile" 
switch] 

Ensure the “Enable EDR module for this profile” switch is in the “ON” position. 


Max event log size — EDR events are transmitted to the Qualys Cloud Platform when the 
EDR event log file reaches the maximum specified size. You can specify a file size 
between 10 KB and 10240 KB. The default is 1024 KB. This value can be lower if the Payload 
threshold time is lower. 

Payload threshold time — EDR events are transmitted to the Qualys Cloud Platform 
when the EDR payload threshold time is hit, i.e., when the specified number of seconds 
has elapsed since the previous payload was sent to the Qualys Cloud Platform. You can 
specify a threshold between 30 seconds and 1800 seconds. The default is 60 seconds. The 
lower this value, the better, as it reduces data loss on busy systems. 

Maximum disk usage for EDR Data — This is the maximum size on disk available to a 
Cloud Agent for caching EDR events to be sent to the Qualys Cloud Platform for 
processing. If the maximum size is reached, the oldest events are deleted in order to 
create space for newly generated events. You can specify a disk usage size between 100 
MB and 2048 MB. The default is 1024 MB. 
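The following toy model is an added example, not Qualys code, and shows how the three settings above interact on one agent host. Its behaviour is an assumption built from the descriptions: events accumulate in a local log that is flushed into a payload when the log reaches the maximum size or when the threshold time has elapsed; payloads wait in a disk cache bounded by the maximum disk usage, and the oldest payload is evicted when the cap is exceeded. Uploads are deliberately not modelled (the host is offline), which is exactly the busy-host data-loss case the guide warns about. The class and function names are mine.

```python
"""Added example (not Qualys code): toy model of the EDR profile settings.

Assumed behaviour (mine, not the guide's): events are appended to a local log;
the log is flushed into a payload when it reaches max_event_log_size_kb OR when
payload_threshold_secs have elapsed since the last flush; payloads wait in a
disk cache capped at max_disk_usage_mb, and the oldest payload is evicted when
the cap is exceeded. No uploads happen, i.e. the host is offline throughout."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class EdrProfile:
    # Ranges and defaults as documented in the guide
    max_event_log_size_kb: int = 1024    # 10 - 10240 KB
    payload_threshold_secs: int = 60     # 30 - 1800 s
    max_disk_usage_mb: int = 1024        # 100 - 2048 MB

    def validate(self) -> None:
        """Reject values outside the documented ranges."""
        if not 10 <= self.max_event_log_size_kb <= 10240:
            raise ValueError("Max event log size must be 10-10240 KB")
        if not 30 <= self.payload_threshold_secs <= 1800:
            raise ValueError("Payload threshold time must be 30-1800 s")
        if not 100 <= self.max_disk_usage_mb <= 2048:
            raise ValueError("Maximum disk usage must be 100-2048 MB")


@dataclass
class AgentSpooler:
    profile: EdrProfile
    log_kb: float = 0.0          # size of the not-yet-flushed event log
    last_flush_at: float = 0.0   # seconds since start
    cache: deque = field(default_factory=deque)  # cached payload sizes, KB
    cached_kb: float = 0.0
    flushes: int = 0
    evicted_payloads: int = 0

    def record(self, now: float, event_kb: float) -> None:
        """Append one event and flush on either trigger (size or time)."""
        self.log_kb += event_kb
        size_hit = self.log_kb >= self.profile.max_event_log_size_kb
        time_hit = now - self.last_flush_at >= self.profile.payload_threshold_secs
        if size_hit or time_hit:
            self.flush(now)

    def flush(self, now: float) -> None:
        """Move the log into the disk cache; evict oldest payloads over the cap."""
        if self.log_kb == 0:
            return
        self.cache.append(self.log_kb)
        self.cached_kb += self.log_kb
        self.log_kb = 0.0
        self.last_flush_at = now
        self.flushes += 1
        cap_kb = self.profile.max_disk_usage_mb * 1024
        while self.cached_kb > cap_kb and self.cache:
            self.cached_kb -= self.cache.popleft()   # oldest events are lost
            self.evicted_payloads += 1


def simulate_offline(profile: EdrProfile, seconds: int,
                     events_per_sec: int, event_kb: float = 1.0) -> dict:
    """Push a constructed event stream (events_per_sec events of event_kb
    each, every second) through the spooler and report what happened."""
    profile.validate()
    spooler = AgentSpooler(profile)
    for t in range(seconds):
        for _ in range(events_per_sec):
            spooler.record(float(t), event_kb)
    return {"flushes": spooler.flushes,
            "evicted_payloads": spooler.evicted_payloads,
            "cached_kb": spooler.cached_kb,
            "unflushed_kb": spooler.log_kb}


if __name__ == "__main__":
    # Busy host: 100 x 1 KB events per second for 2000 s, offline throughout.
    print("100 MB cache:", simulate_offline(EdrProfile(max_disk_usage_mb=100), 2000, 100))
    print("1 GB cache:  ", simulate_offline(EdrProfile(), 2000, 100))
    # Quiet host: the 60 s threshold, not the 1024 KB size, triggers flushes.
    print("quiet host:  ", simulate_offline(EdrProfile(), 300, 1))
```

On the busy host the 1024 KB size trigger fires every 10.24 s, so the 60 s threshold never matters; with a 100 MB cache the 101st and later payloads push out the oldest ones, while the default 1024 MB cache holds the whole backlog. On the quiet host only the time trigger fires, producing one small payload per threshold period.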


Navigate to the following URL to view the "EDR Activation and Setup" tutorial: 


http://ior.ad/7fEO 


Enable Malware Protection for this Profile — If your Qualys account has the Integrated 
Malware Protection feature enabled, you can enable this feature in the Cloud Agent 
profile to install Malware Protection on your agent host. 


AV Profile 


For agent hosts with the Malware Protection feature enabled in the configuration 
profile, the EDR manifest is installed on the agent host with Qualys Malware 
Protection's integrated set of basic virus definitions. The Malware Protection module 
starts updating the latest virus definitions as soon as it is installed. As the virus 
definitions are downloaded on the endpoint, the Default antivirus configuration as 
shown below is also downloaded on the endpoint asset. 
[Screenshot: AV Profile list (1 profile) with columns PROFILE NAME, DESCRIPTION, ACTIVE ON 
ASSETS, ON ACCESS SCAN, ON DEMAND SCAN, BEHAVIORAL, NETWORK PROTECTION, NETWORK ATTACK 
DEFENSE, CREATED BY, LAST UPDATED. The "Default" profile ("default profile for all 
assets") is active on 16 assets, with On Access Scan Disabled, On Demand Scan Not 
Scheduled, Behavioral Disabled, Network Protection Disabled, Network Attack Defense 
Disabled, created by System, last updated 20 hours ago] 


You can view and edit the Default AV (anti-virus) Profile from under the 
"CONFIGURATION" tab to enable required Malware Protection features for the agent 
host. The agent will receive the changes through an updated EDR manifest. 


Navigate to the following URL to view the "Malware Protection Activation and Setup" 
tutorial: 


https://ior.ad/7TOA 


Upgrade Multiple Agent Activation Keys 


Within the EDR application, you can upgrade multiple Cloud Agent Activation Keys to 
use EDR. On the EDR welcome page, simply click "Configure Agents for EDR" and then 
select one or more agent keys to upgrade. All the agents associated with the activation 
key/keys will be upgraded and enabled for EDR. 
Navigate to the following URL to view the "Upgrade Agent Activation Keys" tutorial: 


http://ior.ad/7gh9 


View Assets 


The "Assets" section in the EDR application contains the list of agent host assets with the 
EDR and Malware Protection modules activated. Here you can get up-to-date views of a 
selected asset's details, its events, and its incidents in one place. 


For agent hosts with the Malware Protection feature enabled in the agent configuration 
profile, the AV status is updated to "Installed Functioning" after the module is installed 
and the latest anti-virus definitions are downloaded on the host. 
[Screenshot: Assets list (196 total assets) with columns NAME, OPERATING SYSTEM, AGENT 
VERSION, LAST CHECKED IN, CREATED ON, AV STATUS, LAST LOGGED IN USER; for example host 
win8hq01 (Microsoft Windows Embedded 8.1 Industry Pro, agent 4.6.1.6, last checked in 
Nov 05, 2021) shows AV STATUS "Installed Functioning"] 


Investigate Events & Incidents 


Qualys Cloud Agents collect file, process, mutex, network, and registry events from 
their hosts. An incident may be comprised of multiple events associated with the 
detected malware. 


EDR Events 


An "object" is an artifact on the system, without state information. The agent collects 
data for 5 types of objects: 

- File — Portable Executable (PE) and non-PE files (PDF, XLS, PPT, etc.) on locally 
  attached disks (called an "image"). PE is the file format for executables, object 
  code, DLLs and others used in 32-bit and 64-bit versions of Windows operating 
  systems. It is used for EXE, DLL, SYS (device driver) and other file types. The 
  agent collects data for both user files and kernel files. 

- Process — a running process, usually started from an image 

- Process Network Connection — a network state of a process 

- Mutex — Mutant handle, a shared memory resource used by processes 

- Registry — Windows registry locations used for persistence (auto-start) 

Actions and events on the object include state information. The agent collects data 
about various objects and the associated actions on them in real time. You can see 
information about objects along with their state in the EDR application. 

An object with its state information includes: 

- File: Created | Deleted | Renamed | Write 

- Process: Running | Terminated 

- Mutex: Running | Terminated 

- Network: Established | Closed | Listening 

- Registry: Created | Deleted 


Hunting section 


You can see information about objects along with their state in the EDR app under the 
"Hunting" section. 
[Screenshot: Hunting section, events list for the last 30 days (523K total events), e.g. 
"Malicious mutex \BaseNamedObjects\RasPbFile is created" (category PUA, family 
Webcompanion) and "Malicious file C:\MalwareEXE\2f8e794a-4ffa-11e7-b813-80e65024849a.exe 
is created" (category Trojan), each with host name and IP] 

You can filter and search for malicious file, process, mutex and network related events. 
This way, you reduce potentially thousands of events to the few that matter. 

You can group events by event Type (file, process, mutex and network), Action (file 
creation, network connection established or listening, process running or terminated, 
etc.) and event Score, and perform remediation actions. 

Simply use the "Quick Actions" menu of an event to select the "Event Details" option. 


[Screenshot: Event Details page for a mutex event] 

Malware 
  Score: Mutex for a Malicious Process (score value not legible in the screenshot) 
  Family: Webcompanion 
  Category: PUA 
  Event Collected Date: Oct 9, 2020 11:16 PM 
  Object Type: MUTEX 

Handle 
  Handle Action: RUNNING 
  Handle Name: \BaseNamedObjects\ZoneAttributeCacheCounterMutex 
  Handle Type: Mutant 

Image 
  Image Name: C:\Program Files (x86)\Lavasoft\Web Companion\Application 
  Image Full Path: C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe 
  MD5: 7faaaf139ca5919e9970b5bc98ec1422 
  SHA256: 1205d3b4feccd8ef5aafd15be85fe05f84f21831f7d8f68db4b4e5be2ba14581 


The "Event Details" page displays details such as image path, associated user, process 
ID, MD5/SHA256 hash value, etc. about the object (file/process/mutex/network 
connection) and the object state (file created, process/mutex running or terminated, 
network listening on a port, network connection established). 


Event Score 


The Qualys EDR detection and scoring engine natively correlates all event telemetry 
data with commercial threat feeds and research from Qualys Malware Labs and assigns 
each event and asset a score between 0 and 10. The scoring system depends on the 
object type associated with the event and the threat perception. 

An event with score 0 is a non-malicious event. An event with score 1 indicates that a 
remediation or corrective action was performed on the event, and it is no longer a threat. 
Scores between 2 and 10 indicate malicious behavior related to file, process, or network 
activity with varying confidence levels. 

Scores between 2 and 4 indicate malicious events at a low confidence level, 5 to 7 
indicate malicious events at a medium confidence level, and scores between 8 and 10 
indicate confirmed malicious events with a high confidence score. 


These scores assist incident responders to prioritize their response actions. 
Event Relationship Tree 


On the "Event Details" page, you can see the event relationship tree, which helps you 
visualize how a malicious object is tied to other objects on the asset and so provides 
better context for understanding the attack chain. As with all things hunting, context is 
important, and we can often get more context by looking at the parents and children of 
processes. 

An event of "Process" type shows its parent and child processes along with the 
mutexes and network connections of the process. 

For an event of Network type, you see the network connection of a process, and for an 
event of Mutex type, the mutex of a process. 


[Screenshot: event relationship tree for BitTorrent.exe with its Mutex and Network child 
nodes; the Network node lists connections such as 127.0.0.1:58042, 0.0.0.0:1900, 
10.113.213.206:58040 and 0.0.0.0:21778] 


This information is useful for proactive threat hunting and for analysis during a post- 
breach investigation. 


Navigate to the following URL to view the "EDR Events" tutorial: 


https://ior.ad/7EJN 


EDR Incidents 


An EDR Incident is comprised of one or more events that are related to one another, as 
part of a detected malware infection or host compromise. 

An Incident can consist of one or more File, Process, Mutex, Network, or Registry 
events. The "Incidents" section contains the list of all active incidents in your 
environment. 


A summary of the total number of detected event types is provided at the top. 
[Screenshot: Incidents list for the last 30 days (17 detected incidents) with a summary of 
incidents that contain Process, File, Network, Registry and Mutex events; left-hand 
filters by MALWARE FAMILY (e.g. rubeus, delf, ruberoid, generic) and MALWARE CATEGORY 
(e.g. hacktool, downloader); columns DETECTED, RISK SCORE, INCIDENT DESCRIPTION, OS, HOST 
and DETECTED EVENTS; for example "Rubeus activity found" on ServerDC01 with risk scores 
8 and 9. Click on any incident to view its details] 


Using Qualys search and filter capabilities, you can investigate incidents by the Malware 
category and by Malware family names. 


You can click any Incident Description to view its list of events and other details. 


Risk Score of a host incident is based on the highest single event score. If the risk score is 
zero, then the incident is considered remediated or non-malicious. 
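The score bands from the "Event Score" section and the incident risk rule just stated (risk = highest single event score) are small enough to express exactly, and doing so makes a useful triage helper. The code below is an added example, not Qualys code; the incident records, host names and scores are constructed for illustration, and the function names are mine. It also reproduces the per-event-type summary counts shown at the top of the Incidents list.

```python
"""Added example (not Qualys code): event score bands and incident risk.

Bands follow the guide's "Event Score" section; incident risk is the highest
single event score, and an incident whose risk is 0 is treated as remediated
or non-malicious, as stated in the "EDR Incidents" section."""

EVENT_TYPES = ["PROCESS", "FILE", "NETWORK", "REGISTRY", "MUTEX"]


def score_band(score: int) -> str:
    """Map a 0-10 event score to the band the guide describes."""
    if not 0 <= score <= 10:
        raise ValueError("event scores are 0-10")
    if score == 0:
        return "non-malicious"
    if score == 1:
        return "remediated"
    if score <= 4:
        return "malicious, low confidence"
    if score <= 7:
        return "malicious, medium confidence"
    return "malicious, high confidence"


def incident_risk(events) -> int:
    """Risk score of an incident is the highest single event score."""
    return max(e["score"] for e in events)


def triage(incidents):
    """Order incidents by risk, highest first; risk-0 incidents are dropped
    because the guide treats them as remediated or non-malicious."""
    ranked = []
    for inc in incidents:
        risk = incident_risk(inc["events"])
        if risk == 0:
            continue
        ranked.append((inc["host"], inc["description"], risk, score_band(risk)))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


def summarize_event_types(incidents) -> dict:
    """Count incidents containing at least one event of each type, like the
    "Contains Process / File / Network / Registry / Mutex" summary."""
    counts = {t: 0 for t in EVENT_TYPES}
    for inc in incidents:
        present = {e["type"] for e in inc["events"]}
        for t in present:
            if t in counts:
                counts[t] += 1
    return counts


# Constructed sample incidents; hosts, descriptions and scores are invented.
SAMPLE_INCIDENTS = [
    {"host": "ServerDC01", "description": "Rubeus activity found",
     "events": [{"type": "PROCESS", "score": 9}, {"type": "FILE", "score": 7},
                {"type": "NETWORK", "score": 3}]},
    {"host": "WKS-0042", "description": "PUA detected",
     "events": [{"type": "MUTEX", "score": 2}, {"type": "FILE", "score": 4}]},
    {"host": "WKS-0017", "description": "Quarantined downloader",
     "events": [{"type": "FILE", "score": 1}]},
    {"host": "WKS-0099", "description": "Benign installer",
     "events": [{"type": "FILE", "score": 0}, {"type": "PROCESS", "score": 0}]},
]

if __name__ == "__main__":
    print(summarize_event_types(SAMPLE_INCIDENTS))
    for row in triage(SAMPLE_INCIDENTS):
        print(row)
```

Note that the remediated incident (risk 1) stays in the queue, labelled "remediated", so an analyst can confirm the corrective action; only risk 0 is dropped.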


Navigate to the following URL to view the “EDR Incidents” tutorial: 


https://ior.ad/7Jid 
Hunt for Suspicious Activity 


Adversaries, and cybercriminal organizations in particular, are building tools and using 
techniques that are becoming so difficult to detect that organizations are having a hard 
time knowing that intrusions are taking place. 


Threat hunting is the proactive technique that's focused on the pursuit of attacks and 
the evidence that attackers leave behind when they're conducting reconnaissance, 
attacking with malware, or exfiltrating sensitive data. 


Organizations need tools that not only detect and respond to threats, but can 
proactively hunt them as well. Such tools can accelerate threat discovery to identify a 
potential compromise before it's too late. 


Hunting Section 


The Hunting section provides search and filter capabilities to quickly find everything 
about your incidents, events and assets in one place. You can search for incidents and 
assets in their respective tabs in the same way. You'll notice the Search box while 
viewing dynamic lists of events, incidents, and assets. This is where you enter your 
search query: enter the value you want to match. As you start typing in the search box, 
you will see a predefined list of query tokens that you can choose from. 
[Screenshot: Hunting section with the "Search for events..." box and the "Last 30 Days" 
selector above the events list (523K total events); callout: use query tokens to search 
for specific events or assets] 


EDR online help provides details on the search language and sample queries. 
Once you have your search results you may want to organize them further into logical 
groupings. Choose a "group by" option on the left side. You'll see the number of events or 
assets per grouping. Click on any grouping to update the search query and view the 
matching events. 


Tip - Use your queries to create dashboard widgets on the Dashboards tab. 


You can download event search results to your local system so that you can easily manage 
incidents or events outside of the Qualys platform and share them with other users. You 
can export results in CSV format. 


Threat Hunting Queries 


Threat hunting is a combination of tools and techniques. Tools provide information 
across endpoints; how these tools are used constitutes the techniques. Needless to say, 
any technique you use is only effective with a proper understanding of your own IT 
environment. 


The following examples can be used to identify suspicious activity in your environment. 


Suspicious use of system processes 

Service Host ("svchost.exe") is a system process that hosts multiple Windows services. 
Normal usage is to pass the "-k" argument to define the service (via DLL) to instantiate, 
e.g. "svchost.exe -k imgsvc"; the argument shows which service is loaded by svchost. 
Threat actors try to evade detection by injecting malware directly into svchost.exe 
instead of calling their code directly, so there is no "-k" argument. The following query 
easily identifies such suspicious instances: 

type:PROCESS and process.name:svchost.exe and action:RUNNING and not process.arguments:"-k" 


System process not running from windows directory 

If a file is named like a system process such as svchost.exe or csrss.exe but is located 
in a directory other than "C:\Windows\System32\", this indicates that it is not a 
system file and is malicious. You can identify instances of such system processes 
not running from their expected locations by using the following query: 

process.name:svchost.exe and type:process and not process.fullPath:"C:\Windows\System32\svchost.exe" 


PowerShell Execution Bypass 

The PowerShell execution policy is the setting that determines which type of PowerShell 
scripts (if any) can be run on the system. By default it is set to "Restricted", which 
basically means none. When PowerShell is invoked with the execution policy bypass argument, 
nothing is blocked and there are no warnings or prompts. Attackers can use this method 
to launch PowerShell scripts and evade detection. The following query identifies such 
PowerShell invocations: 

type:PROCESS and process.name:powershell.exe and process.arguments:"ExecutionPolicy Bypass" 


PowerShell Obfuscation encoded command 

The attacker could use PowerShell encoded commands in Base64 to obfuscate the 
malicious activity to evade legacy antivirus and other traditional means of detection. 
Executing PowerShell scripts with encoded commands could be an indicator of a 
malicious attack. The following query can be easily used to identify such instances. 
type:PROCESS and process.name:powershell.exe and 
(process.arguments:"-encodedCommand" or 
process.arguments:"-enc") 


Process running from Recycle bin or TEMP location 

The $RECYCLE.BIN folder has a special purpose in Windows Explorer, so items inside it 
cannot be interacted with. This does not prevent the executables from being listed as a 
service or start-up entry, or used from the command line, so malware in such locations can 
be dangerous as well. You can easily identify whether any process was launched from a 
malicious file in the recycle bin with this query: 

process.image.path:Recycle.bin 


Process with network connection 

Some attackers are writing their malware in Java, a language antivirus software doesn't 
typically scan for. Java is a common platform in enterprises, and many data centres have 
it on their white lists, allowing these applications to bypass security controls. Just 
blocking the Java language isn't typically an option. So tracking suspicious activity 
involving Java may come in handy to uncover such attacks. The following query 
identifies any java processes making network connections where the environment may 
not be configured to allow such an activity: 

network.process.name:java or network.process.name:jre 
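To check the logic of the six hunting queries above offline, here they are re-expressed as predicates over a small constructed event stream. This is an added example, not Qualys code and not the Qualys query engine: the ProcessEvent fields are modelled on the query tokens used in the guide (type, process.name, process.fullPath / process.image.path, process.arguments, action), the sample events, paths and the Base64 fragment are invented, and the function and rule names are mine. Each predicate's docstring carries the query from the guide it mirrors.

```python
"""Added example (not Qualys code): the guide's hunting queries as predicates."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    type: str        # "PROCESS" or "NETWORK"
    name: str        # process.name
    full_path: str   # process.fullPath / process.image.path
    arguments: str   # process.arguments (command line without the image)
    action: str      # RUNNING, TERMINATED, ESTABLISHED, ...


def svchost_without_k(e: ProcessEvent) -> bool:
    """type:PROCESS and process.name:svchost.exe and action:RUNNING
    and not process.arguments:"-k" """
    return (e.type == "PROCESS" and e.name.lower() == "svchost.exe"
            and e.action == "RUNNING" and "-k" not in e.arguments.lower())


def svchost_outside_system32(e: ProcessEvent) -> bool:
    """process.name:svchost.exe and type:process and
    not process.fullPath:"C:\\Windows\\System32\\svchost.exe" """
    return (e.type == "PROCESS" and e.name.lower() == "svchost.exe"
            and e.full_path.lower() != r"c:\windows\system32\svchost.exe")


def powershell_bypass(e: ProcessEvent) -> bool:
    """process.name:powershell.exe and process.arguments:"ExecutionPolicy Bypass" """
    return (e.type == "PROCESS" and e.name.lower() == "powershell.exe"
            and re.search(r"executionpolicy\s+bypass", e.arguments, re.I) is not None)


def powershell_encoded(e: ProcessEvent) -> bool:
    """process.arguments:"-encodedCommand" or process.arguments:"-enc" """
    return (e.type == "PROCESS" and e.name.lower() == "powershell.exe"
            and re.search(r"-enc(odedcommand)?\b", e.arguments, re.I) is not None)


def from_recycle_bin(e: ProcessEvent) -> bool:
    """process.image.path:Recycle.bin"""
    return "$recycle.bin" in e.full_path.lower()


def java_network(e: ProcessEvent) -> bool:
    """network.process.name:java or network.process.name:jre"""
    stem = e.name.lower().rsplit(".", 1)[0]
    return e.type == "NETWORK" and stem in {"java", "jre"}


HUNTS = [
    ("svchost without -k", svchost_without_k),
    ("svchost outside System32", svchost_outside_system32),
    ("PowerShell ExecutionPolicy Bypass", powershell_bypass),
    ("PowerShell encoded command", powershell_encoded),
    ("Process from Recycle Bin", from_recycle_bin),
    ("Java process with network connection", java_network),
]


def hunt(events):
    """Return, per hunt, the indexes of matching events (empty list if none)."""
    return {name: [i for i, e in enumerate(events) if pred(e)]
            for name, pred in HUNTS}


# Constructed sample stream: events 0 and 7 are benign, 1-6 each trip one hunt.
SAMPLE_EVENTS = [
    ProcessEvent("PROCESS", "svchost.exe", r"C:\Windows\System32\svchost.exe", "-k netsvcs", "RUNNING"),
    ProcessEvent("PROCESS", "svchost.exe", r"C:\Windows\System32\svchost.exe", "", "RUNNING"),
    ProcessEvent("PROCESS", "svchost.exe", r"C:\Users\Public\svchost.exe", "-k imgsvc", "RUNNING"),
    ProcessEvent("PROCESS", "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"-ExecutionPolicy Bypass -File C:\Temp\update.ps1", "RUNNING"),
    ProcessEvent("PROCESS", "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"-nop -enc QQBCAEMA", "RUNNING"),  # constructed Base64 fragment
    ProcessEvent("PROCESS", "$R0ABC.exe", r"C:\$Recycle.Bin\S-1-5-21-1111\$R0ABC.exe", "", "RUNNING"),
    ProcessEvent("NETWORK", "java.exe", r"C:\Program Files\Java\jre\bin\java.exe", "", "ESTABLISHED"),
    ProcessEvent("PROCESS", "explorer.exe", r"C:\Windows\explorer.exe", "", "RUNNING"),
]

if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

The predicates are deliberately literal translations of the queries: the path comparison in svchost_outside_system32 is exact, as the query is, so a copy under a different casing or path still matches, while the PowerShell checks use regular expressions because the platform's phrase matching on process.arguments tolerates spacing differences that a plain substring test would miss.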


Leverage MITRE ATT&CK Framework 


MITRE ATT&CK defines the tactics, techniques, and procedures that are leveraged by 
adversaries and malware. MITRE ATT&CK is behavior focused: it analyzes how humans or 
malware leverage the built-in operating system binaries, utilities, or capabilities 
which otherwise might not be malicious on their own. 

EDR helps detect malicious behavior on the endpoint by evaluating the events in context 
with MITRE ATT&CK. Having ATT&CK context also aids analysts when hunting for and 
responding to incidents within their environment. 


Currently, EDR includes the following list of rules as per the MITRE ATT&CK framework 
to help analyze the events registered on the agents. 

- T1053.005 Rule to detect the creation of a scheduled task using the different binaries listed 

- T1090.003 Rule to detect establishment of a multi-hop proxy using TOR 

- T1098.002 Rule to detect a PowerShell process running with the argument Add-MailboxPermission 

- T1115 Rule to detect a PowerShell process running with the argument Get-Clipboard 

- T1127.001 Rule to detect events where msbuild.exe is running as a child process under a given parent process list 

- T1201 Rule to detect discovery of the password policy using the net1.exe binary 

- T1218.001 Rule to detect execution of the hh.exe binary 

- T1218.005 Rule to detect execution of the mshta.exe binary 

- T1218.009 Rule to detect execution of the Regasm/Regsvcs binary 

- T1218.011 Rule to detect execution of the Rundll32 binary 

- T1220 Rule to detect execution of the MSXSL binary 

- T1569.002 Rule to detect execution of system services using the processes listed 

With each release, Qualys continues to add more rules to help classify the events 
appropriately. 


You can use search tokens in the "Hunting" section to search for events by their tactic ID 
and name and by the technique ID and name in context of MITRE detections. 


The applied ATT&CK tactics and techniques are displayed for applicable events on the 
Event Details page. 
Tracking Threats via Dashboards 


[Screenshot: EDR dashboard "QLYS-Suspicious Process Usage" (last 30 days) with the 
widgets RECYCLE BIN WITH PROCESS, SVCHOST NO -K, POWERSHELL OBFUSCATION ENCODED COMMAND 
and VERCLSID.EXE WITH NETWORK CONNECTIONS] 


Dashboards help you visualize your assets, see your threat exposure, leverage saved 
searches, and prioritize remediation of malicious/suspicious events quickly. You can use the 
default EDR dashboard provided by Qualys or easily configure widgets to pull 
information from other modules/applications and add them to your dashboard. You can 
also configure widgets to track remediations and to find out whether a host is getting 
re-infected over time. You can add as many dashboards as you like to customize your 
vulnerability posture view. 


Navigate to the following URL to view the "Hunt for Suspicious Activity" tutorial: 


http://ior.ad/7gnT 




Perform Remediation Action 


After data that describes the threat has been collected, the business and technical 
impact has been identified, and context data has been gathered — remediation can get 
underway. 


Remediation Actions 

You can remediate malicious file events using the following options: 

- Quarantine File: Using this option, the file is encrypted and then moved to the 
  Quarantine folder (C:\ProgramData\Qualys\QualysAgent\Quarantine\) on your 
  agent host. The Quarantine folder is automatically created once you upgrade to 
  Cloud Agent version 4.0 for Windows or above. 

  You can undo this action and restore the file to its original location using the 
  UnQuarantine File action from the Responses section, under the User Activity 
  tab. 

- Delete File: Using this option, the file is permanently deleted from your agent 
  host. You cannot undo this action. 

- Kill Process: For process, mutex, and network events, we provide the Kill Process 
  remediation action. When you perform the Kill Process action for a mutex or 
  network event, it kills the corresponding parent process. 


Remediation actions can be performed for File, Process, Network, and Mutex events 
from the Hunting section and from the Event Details page. The remediation options are 
available only for: 

- Events in the Active\Current View 

- Events that score between 1 and 10 


Navigate to the following URL to view the "Perform Remediation Action" tutorial: 


http://ior.ad/7fLG 
Configure Rule Based Alerts 


Rule Based alerts provide ongoing detection even after you've completed your hunt, 
automatically triggering alerts for similar malicious behaviour based on both historical 
and real-time activity. This eliminates the need to manually search the same security 
holes over and over by leveraging time-saving automation. 


Under the "Responses" section, on the "Actions" tab, you first need to configure a rule 
action that will be used with the rule configured in the subsequent step. 


[Screenshot: RESPONSES section, "Actions" tab, with the "Search for actions..." box] 


Currently, EDR supports three actions for alerts: Send Email (Via Qualys), Post to Slack, 
and Send to PagerDuty. 


Next, under "Rule Manager", you need to create a rule with trigger conditions and rule 
actions for sending the alert. EDR will use the rule action settings to send you the alerts. 
You can monitor alerts under the "Activity" tab. 
[Screenshot: Hunting section, Historic View, with a saved search query such as 
(indicator.score >= 3 and indicator.threatfeed >= 3) returning 47.8K events, and the 
"Save this Search Query" and "Manage Saved Searches" options] 


You can also create rules directly from custom queries used for searching events or 
threat hunting as illustrated above. 


Navigate to the following URL to view the "Configure Rule Based Alerts" tutorial: 


https://ior.ad/7gzK 
Correlate Prevention Across Multiple Vectors 


Multi-vector attacks take advantage of common vulnerabilities, combining elements like 
social engineering and 'spear phishing' e-mail messages with malicious attachments that 
contain code that exploits known or unknown (zero-day) vulnerabilities on the target 
system. While these attacks might rely on commodity malware, they are often 
tailored to bypass most antivirus engines. 


Qualys EDR creates a Single View of the Asset, showing threat hunting details unified 
with other Qualys Cloud Apps for hardware and software inventory, vulnerability 
posture, policy compliance controls, and file integrity monitoring change alerts for on- 
premise servers, cloud instances, and off-net remote endpoints. 


A single user interface significantly reduces the time required for incident responders 
and security analysts to hunt, investigate, detect, and respond to threats before breach 
or compromise can occur. 


With the combination of Qualys CyberSecurity Asset Management (CSAM), VMDR, Patch 
Management (PM) and EDR you can eliminate the root cause of most malicious attacks 
by addressing exploitable vulnerabilities and misconfigurations. 


Eliminate Blind Spots 


Endpoint security starts with visibility. Qualys CSAM provides you a single source of 
truth for your assets. It's a central location where you can view the data collected from 
the different sensors you've deployed. Data collected from your sensors automatically 
populates the asset inventory. That data is then normalized and categorized so you can 
better make sense of it and group it in many ways. Because you're getting an inventory, 
you are completing the first step for security and compliance teams, which is visibility. 


CSAM tells you what endpoints, servers, and technologies you have in your environment. This 
provides the vital context needed for endpoint security and lets you know exactly where 
EDR can be deployed to eliminate blind spots. 


CSAM supports elastic queries, which help you quickly identify assets in your 
infrastructure that are missing EDR capability. 


You can also use dashboard widgets to dynamically track if a critical asset is missing EDR. 
And you can then tag such assets and activate EDR on them. 
Identify Assets with EOL/EOS Software 


Every product has a lifecycle. The lifecycle begins when a product is released and ends 
when it is no longer supported. When software reaches end-of-life (EOL), it is no 
longer sold or marketed by the vendor and may not receive new feature updates. When 
software hits the end-of-support (EOS) stage, it no longer receives maintenance 
updates or upgrades from the vendor. 


If cybercriminals discover a vulnerability in such EOL/EOS software, there is no 
guarantee that this vulnerability will be patched by the vendor. Cybercriminals often 
tend to weaponize such a vulnerability and use it to their advantage. 


Timely response to security critical events becomes increasingly important if EOL/EOS 
and vulnerable software is present within the enterprise environment. 


CSAM provides the necessary visibility into the asset and software inventory and into 
the corresponding lifecycle stages. CSAM also allows you to define software 
authorization rules to determine what software is allowed or not allowed in your 
environment, including specific software versions and update levels. 


EDR benefits from this visibility into the asset inventory and software lifecycle 
information: security teams can identify security gaps on critical assets, allowing a 
timely response to contain or eradicate threats and prevent any breach/compromise 
from spreading across the enterprise infrastructure. 


The following query in CSAM identifies Windows assets with EOL/EOS software: 

operatingSystem:windows and software:(lifecycle.stage:EOL/EOS) 


Going further, you can identify Windows assets that are not enabled for EDR and which 
have EOL/EOS software of the category "Network Application / Internet Browser" using 
the following query: 

operatingSystem:windows and software:((lifecycle.stage:EOL/EOS) and category:"Network Application / Internet Browser") and not sensors.activatedForModules:EDR 
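As an added example (not Qualys code), the following Python models both CSAM queries above over a constructed inventory whose field names mirror the queries; the hosts and software entries are hypothetical. It also contrasts the nested software:(... and ...) clause with testing the two conditions independently, which would also match a host whose EOL/EOS software is not its browser.

```python
"""Offline model of the CSAM queries above (added example, not Qualys code).
Asset records are constructed to mirror the fields the queries name; the host
and product names are hypothetical."""
from typing import Dict, List

BROWSER = "Network Application / Internet Browser"
EOL = "EOL/EOS"

# Constructed inventory. win-host-3 has EOL/EOS software that is NOT the
# browser: the case the nested software:(... and ...) clause must exclude.
ASSETS: List[Dict] = [
    {"name": "win-host-1", "operatingSystem": "Windows 10",
     "sensors": {"activatedForModules": ["VM", "PM"]},
     "software": [{"category": BROWSER, "lifecycle": {"stage": EOL}}]},
    {"name": "win-host-2", "operatingSystem": "Windows Server 2012",
     "sensors": {"activatedForModules": ["VM", "EDR"]},  # EDR already active
     "software": [{"category": BROWSER, "lifecycle": {"stage": EOL}}]},
    {"name": "win-host-3", "operatingSystem": "Windows 10",
     "sensors": {"activatedForModules": ["VM"]},
     "software": [{"category": "Office Application", "lifecycle": {"stage": EOL}},
                  {"category": BROWSER, "lifecycle": {"stage": "GA"}}]},
    {"name": "linux-host-1", "operatingSystem": "Ubuntu 20.04",
     "sensors": {"activatedForModules": ["VM"]},
     "software": [{"category": BROWSER, "lifecycle": {"stage": EOL}}]},
]

def is_windows(asset: Dict) -> bool:
    return asset["operatingSystem"].lower().startswith("windows")

def windows_with_eol_software(assets: List[Dict]) -> List[str]:
    """First query: operatingSystem:windows and software:(lifecycle.stage:EOL/EOS)"""
    return [a["name"] for a in assets if is_windows(a)
            and any(sw["lifecycle"]["stage"] == EOL for sw in a["software"])]

def windows_missing_edr_with_eol_browser(assets: List[Dict]) -> List[str]:
    """Second query: ONE software entry must be both EOL/EOS and a browser,
    and the host must not have EDR in sensors.activatedForModules."""
    return [a["name"] for a in assets if is_windows(a)
            and any(sw["lifecycle"]["stage"] == EOL and sw["category"] == BROWSER
                    for sw in a["software"])
            and "EDR" not in a["sensors"]["activatedForModules"]]

def two_separate_clauses(assets: List[Dict]) -> List[str]:
    """Contrast: EOL/EOS and browser tested independently, so win-host-3, whose
    EOL/EOS software is not its browser, is wrongly included."""
    return [a["name"] for a in assets if is_windows(a)
            and any(sw["lifecycle"]["stage"] == EOL for sw in a["software"])
            and any(sw["category"] == BROWSER for sw in a["software"])
            and "EDR" not in a["sensors"]["activatedForModules"]]
```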


Identify Vulnerabilities with Malware Associations 


In the "Hunting" tab you can see Incidents related to different malware categories such 
as trojans, backdoors, exploits and so on. 


You can run queries under the "Vulnerabilities" tab in VMDR to easily search for all 
vulnerabilities linked to the specific malware category. 
The following is a sample query to find vulnerabilities linked to the TROJAN malware 
category: 

vulnerabilities.vulnerability.threatIntel.malware:true and vulnerabilities.vulnerability.threatIntel.malwareName:TROJ 


From there, you can identify the assets with such vulnerabilities by simply switching the 
search result to display asset information. 


[Screenshot: VMDR "Vulnerabilities" tab running the query vulnerabilities.vulnerability.threatIntel.malware:true and vulnerabilities.vulnerability.threatIntel.malwareName:TROJ, with the result switched to the "Total Assets" view listing the affected Windows hosts] 


Identify Vulnerabilities associated with RTIs 


VMDR also allows you to focus on vulnerabilities that have threats associated with them. 
These Real-time Threat Indicators (RTIs) correlate asset vulnerabilities to external 
threat vectors such as actively attacked vulnerabilities, wormable threats, zero-days, 
denial of service attacks, high lateral movement, etc. 


By correlating vulnerability information with threat intelligence and asset context, you 
can quickly “zero in” on your highest risk vulnerabilities and quickly patch them. 


The following is a sample query to look for assets with at least one vulnerability that is 
considered wormable and is known to cause high data loss: 

vulnerabilities.vulnerability.threatIntel:(wormable:"TRUE" and highDataLoss:"TRUE") 


Address Vulnerabilities with Patch Management 


After identifying assets with exploitable vulnerabilities, you can quickly find all 
missing patches for those vulnerabilities. Then, using VMDR's integrated workflow for 
Patch Management (PM), you can create a patch job to patch all such vulnerabilities 
across the environment. Otherwise, those vulnerabilities could have been exploited, and 
your team would need to spend time detecting, investigating, correlating and responding 
to the resulting incidents. 


[Screenshot: Patch Management "Patch Catalog" filtered by the query aid: [90983, 120098] together with a list of agentIds, with the "Actions" menu open to "Add to Existing Job" and "Add to New Job"; the listed patches include MS15-080 (KB3078601) and KB4577038] 


Identify and Address Misconfiguration 


An adversary may identify and exploit weaknesses in the configuration of your 
infrastructure. These weaknesses could include architectural flaws, misconfigurations, 
or improper security controls. Searching for failing controls mapped to the spread of 
malware or ransomware, or controls mapped to a MITRE technique, may help identify such 
misconfigurations and reduce the attack surface. 


Combining this context with EDR provides better threat investigation and assists in 
fixing misconfigurations that may otherwise lead to malware infections in your 
environment. 


Navigate to the following URL to view the "Correlate Prevention Across Multiple 
Vectors" tutorial: 


https://ior.ad/7fUF 
EDR Certification Exam 


Participants in this training course have the option to take the EDR 
Certification Exam. This exam is provided through our Learning Management 
System (qualys.com/learning). 


To take the exam, candidates will need a "learner" account. 


[Screenshot: "Qualys Training & Certification" login page (qualys.com/learning) with Username and Password fields and the "Forgot your password?" and "Request a new account" links] 


If you would like to take the exam, but do not already have a "learner" account, click the 
"Request a new account" link, from the "Qualys Training & Certification" login page 
(qualys.com/learning). 


Once you have created a "learner" account (and for those who already have an 
account), click the following link to access the “Qualys Multi-Vector Endpoint Detection 
and Response - QSC 2021" course page: 


https://gm1.geolearning.com/geonext/qualys/scheduledclassdetails4enroll.geo?&id=22511237811 


[Screenshot: "Class Details" page for the course "Qualys Multi-Vector EDR - QSC 2021", class "Qualys EDR - QSC 2021" (class code 2250729076520210917122310), contact Vikram Kamat, private class, maximum capacity 5000, cost $0.00, with one session on Monday, November 15, 2021, 9:00 AM to 1:00 PM (America/Los Angeles)] 

From the "Qualys Multi-Vector EDR — QSC 2021" course page, click the "Enroll" button 
(lower-right corner). 




After successfully completing the course enrollment, click the "Launch" button for 
the Qualys EDR Certification Exam. 


[Screenshot: "Activities" list for the class "Qualys EDR - QSC 2021", showing the QSC 2021 EDR Lab Supplement (pdf), the QSC 2021 EDR Slides (pdf) and the "Qualys Endpoint Detection and Response Exam" (Actual Test, Not Attempted) with its Launch action] 
Each candidate is provided five attempts to pass the exam. 


With a passing score of 75% (or greater), click the "Print Certificate" button to 
download and print your course exam certificate. 